ICO consultation on the draft updated data 
sharing code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data have 
high data protection standards, sharing data in ways that are fair, transparent 
and accountable. We also want organisations to be confident when dealing with 
data sharing matters, so individuals can be confident their data has been 
shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating our 
data sharing code of practice, which was published in 2011. We are now 
seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data protection 
legislation where these changes are relevant to data sharing. It addresses 
many aspects of the new legislation including transparency, lawful bases for 
processing, the new accountability principle and the requirement to record 
processing activities. 


The draft updated code continues to provide practical guidance in relation to 
data sharing and promotes good practice in the sharing of personal data. It 
also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the publication of 
the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call for 
views in August 2018. You can view a summary of the responses and some of 
the individual responses here. 


If you wish to make any comments not covered by the questions in the survey, 
or you have any general queries about the consultation, please email us at 
datasharingcode@ico.org.uk 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where the 
respondent indicates that they are an individual acting in a private capacity 
(e.g. a member of the public). All responses from organisations and individuals 
responding in a professional capacity will be published. We will remove email 
addresses and telephone numbers from these responses; but apart from this, 
we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Please note that we are using the platform Snap Surveys to gather this 
information. Any data collected by Snap Surveys for ICO is stored on UK 
servers. You can read their Privacy Policy. 


Qi Does the updated code adequately explain and advise on the new aspects of 
data protection legislation which are relevant to data sharing? 


O Yes 
© No 


Q2 If not, please specify where improvements could be made. 


It is vague and abstract. There should be 10x more practical examples. There is lots of 
unclear wording such as: * "You must also ensure that the sharing happens in a way that 
people would not find unexpected or objectionable". Exactly what does "people" mean in that 
sentence - 2 people, a few people, a significant number of people, or all people? * "You 
must ensure that individuals know what is happening to their data. They must know which 
organisations are sharing their personal data". What does "must know" mean in that 
sentence - they have been given a chance to find out, they have been told the information 
exists and given a link to it, they have been shown the information, or you have tested their 
knowledge to make sure? 


Q3 Does the draft code cover the right issues about data sharing? 


O Yes 
© No 


Q4 If no, what other issues would you like to be covered in it? 


(1) The code states, "Data sharing covered by this code ... For the purposes of this code, it 
does not include sharing data with employees, or with processors". I believe the 
overwhelming majority of data sharing is with employees or processors, so this limitation 
makes it much less valuable. (2) The code does not mention "ecommerce" or "advertising", 


but mentions "police" 25 times. Much more balance between public and private sector is 
necessary. 


Q5 Does the draft code contain the right level of detail? 
O Yes 
© No 

Q6 Ifno, in what areas should there be more detail within the draft code? 


There should be 10x more practical examples, especially about data sharing in ecommerce. 


Q7 Has the draft code sufficiently addressed new areas or developments in data 


protection that are having an impact on your organisation’s data sharing 
practices? 


O Yes 
© No 


Q8 Ifno, please specify what areas are not being addressed, or not being 
addressed in enough detail. 


Don't know, but there it no option to choose this. 


Q9 Does the draft code provide enough clarity on good practice in data sharing? 


O Yes 
© No 


Q10 If no, please indicate the section(s) of the draft code which could be improved, 
and what can be done to make the section(s) clearer. 


Don't know, but there it no option to choose this. 


Q1i1 Does the draft code strike the right balance between recognising the benefits of 
sharing data and the need to protect it? 


O Yes 
© No 


Q12 


O13 


Q14 


If no, in what way does the draft code fail to strike this balance? 


The benefits are barely mentioned, possibly because most benefits come from the use of 
modern tools and services (e.g. SaaS services and delivery networks), but those involve 
controller-processor sharing. You have chosen to ignore advice on controller-processor 


sharing in the code, but I feel you cannot ignore the benefits without striking completely the 
wrong balance between benefits and protection. 


Does the draft code cover case studies or data sharing scenarios relevant to 
your organisation? 


O Yes 
© No 


Please provide any further comments or suggestions you may have about the 
draft code. 


We are a data processor working with data controllers who are ecommerce clients, and the 
code does not apply to controller-processor sharing. But thinking about our clients' needs, 


there should be 10x more practical examples, especially about data sharing in ecommerce 
and retail. 


Q15 To what extent do you agree that the draft code is clear and easy to 
understand? 


© Strongly agree 

© Agree 

© Neither agree nor disagree 
© Disagree 

© Strongly disagree 


Q16 Are you answering as: 


O An individual acting in a private capacity (e.g. someone providing their 
views as a member of the public of the public) 


© An individual acting in a professional capacity 
© On behalf of an organisation 
© Other 


Q17 Please specify 
I'm a DPO 
Q18 Please specify 


Q19 Please specify 


Thank you for taking the time to share your views and experience. 


